We cannot solve our problems with the same thinking we used when we created them.

—Albert Einstein


Today's media is flooded with stories of cyber attacks prompting a loss of public confidence, resignations by senior officials, and a significant near- and long-term impact on our nation. Most of these breaches stem from known vulnerabilities in existing network security architecture, presenting a distinct danger to our vital national interests. These vulnerabilities, which vary in sophistication, could be as simple as using weak passwords (e.g., default value, simple number strings, or the word password itself). Slightly more sophisticated attacks leverage phishing attempts through e-mail or social engineering, designed to elicit unsafe action or information that would allow adversaries unauthorized access.


Disclaimer: The views and opinions expressed or implied in the Journal are those of the authors and should not be construed as carrying the official sanction of the Department of Defense, Air Force, Air Education and Training Command, Air University, or other agencies or departments of the US government. This article may be reproduced in whole or in part without permission. If it is reproduced, the Air and Space Power Journal requests a courtesy line.

Senior Leader Perspective


The notion of "defense in depth" has been touted by leading security organizations (which rely on the National Institute of Standards) as the basis upon which a security framework can be developed to safeguard our networks. The depth includes both physical security protections (walls, gates, locks, guards, and computer cages) and logical security measures (network firewall and intrusion detection). However, no matter how many layers of network perimeter protection are employed, adversaries continue to overcome defenses by using a variety of countermoves or by exploiting poor cybersecurity practices.

Furthermore, successful cyber attacks highlight the fact that disciplined cyber hygiene is necessary but not sufficient to prevent all potential attacks. Systems are simply too complex to defer application and data security to the supporting network's defense appliances and infrastructure. Therefore, we propose that, from their inception, applications must be designed to protect themselves as stand-alone entities with security built in and with minimal dependence on network security appliances (e.g., firewalls).

As Secretary of Defense Ashton Carter proclaimed during a speech at Stanford University, to keep systems secure, we must build "a single security architecture that's more easily defendable and able to adapt and evolve to mitigate current and future cyber threats."1 We propose that this next evolution be a "designer" security package at the application level: the security-encapsulated application and data enclave (SEADE) architecture, composed of a virtual application data center (VADC) and enterprise-level security (ELS). SEADE will redirect the responsibility for an enterprise-level network security perimeter to each application. It will act as a separately secured virtual container that offers users enhanced data access and produces an application package that is exceedingly difficult to penetrate and easy to port; furthermore, SEADE requires little maintenance.

Insufficient Network Perimeter Defense

In the past, strategic endeavors in this area have focused on safeguarding the information that resides within our networks by building higher and thicker walls around our crown jewels, posting gate guards that interrogate everyone entering or leaving, and establishing multiple checkpoints. These efforts attempt to mitigate accessibility, the very capability our modern networks have been designed to provide. Clearly, this has been a losing proposition because the cost to safeguard these networks far exceeds that associated with attacking and penetrating them. Critically, it also impedes unobstructed and timely access by our forces to the information they so critically need.

The current network enclave defense model parallels these classic perimeter defenses by restricting accessibility to apparently valid users or transactions. However, it does little to define the purpose behind the effort. Thus, without a clear understanding of what is to be defended, we are left with the daunting task of defending everything in our "house/fort" without having any opportunity to prioritize a specific effort, such as those that will likely have the greatest impact on our ability to accomplish the mission.

It is imperative to note that our traditional approach to protection using only network boundaries is rendered useless when an adversary is already inside the network. Based on recent events and given current levels of network complexity, it is unlikely that adversaries will appear via concentrated denial-of-service attacks as was once the case. Rather, we would be well advised to conclude that such enemies already exist within our networks. More realistically, they are striving to hide their presence in order to harvest information that represents the lifeblood of our companies, plans, and/or intellectual property. Consequently, the three core considerations that must be governed by security measures are (1) accessibility, (2) confidentiality (including the determination that data is correct and has not been altered), and (3) integrity (which relates to the essence of our trust in and reliance on information used in the decision-making process). The complexity of recent cyber attacks has indeed increased. Although they were once focused on pilfering or manipulating data, such attacks now seek not only to steal critical data but also to undermine its use within operational command and control centers. Indeed, threats that have remained dormant until triggered by a specific event (e.g., zero-day attacks) can have devastating consequences at the most inopportune times during military operations. Therefore, we must elevate our awareness of such threats and manage the associated risk by determining what must be defended, how such defenses will be carried out, what objective will be fulfilled, and why it is important. Ultimately, networks that continue to offer unfettered accessibility (albeit a worthwhile quality) will fail to secure the intellectual property that populates today's information environment. Clearly, then, we must take a step back and ask ourselves what we should defend. Should we protect the roads and highways (i.e., the network) leveraged by users and adversaries alike? Or should we protect the data and intellectual property inside?

Current State of Enterprise Defense

Today's perimeter defenses are instrumented for network-traffic-based analysis that assumes nothing bad will happen to applications/data if those defenses prevent malware transactions at the entrance. The solution—based on consistent, quick recognition of these rogue transactions—works well if one knows and understands all of the acceptable transactions so that the complement can be characterized as unacceptable (i.e., blacklisting undesirable network traffic).

Another defensive approach entails isolating the application from external access channels, but business requirements mandate access to areas inside the perimeter for collaboration (data sharing), interaction (web services), mobile/remote access (virtual private network), and business-to-business links. Hence, it is extremely difficult to determine which traffic to block because of multiple exceptions that must be accommodated for the business to function. Blacklisting has become slow and unwieldy to maintain and does not scale well, especially with the increasing adoption of IPv6.2 Whitelisting at the perimeter level has become unmanageable due to the thousands of entries to maintain. The fact that the walls have to allow a superset of all of these exceptions creates a porous perimeter. Moreover, adding new or removing existing exceptions may cause unintended effects on other applications, typically discovered only after implementation. Further complicating the situation is the continuing maintenance requirement—for example, obsolete exceptions persist in configurations because of a failure to notify administrators to make the updates.

Compounding the situation is the scaling of network defenses to billions of transactions. The usual response to keeping pace with performance demands has been to increase the sophistication and scale of network defense appliances. Unfortunately, these "improvements" exert more overhead and cause greater latency (despite appearing faster or more robust) and do not always produce more effective systems.

There has to be a better way. To better defend our information, not only do we need to recognize that fact and account for the adversaries among us, but also we must continue to operate within this contested environment. Since our cyber adversaries have made their presence known, we must find novel ways to defend the vital information (today's crown jewels) that enables us to maintain our competitive edge, all the while accepting the idea that we will be operating in a contested environment. As we focus on protecting our property and establishing tighter security perimeters, we will also develop the ability to scale our approaches quickly and overcome continually increasing threats.

In the past, isolated enclave architecture was the initial design of the network—each group had its own enclave with no outside connectivity. The desire to share information led to connecting these enclaves, which generated some concern, but a trust agreement existed between them. As enclaves became increasingly interconnected, the level of trust degraded further, especially when control was lost and anonymity became pervasive within the World Wide Web. Regaining this trust involved employing enterprise perimeter defenses to control access to information and restricting data availability to maintain some degree of confidentiality.

Although this problem has long been recognized and many alternatives have been proposed, only a modicum of success has been achieved in safeguarding intellectual property. The obvious alternative is to construct multiple layers of network perimeter defenses that provide adequate confidentiality of strategic data. However, this approach requires that different settings, configurations, or tool sets be established at each point in the layered defense. Ultimately, such an action increases the maintenance burden and produces delays in transaction flow, the combination of which impedes timely dissemination of vital information.

Incident Identification/Reaction

Considering that network perimeter defenses are generating logs/alerts to billions of transactions in a large organization, how does one analyze these into a coherent picture? Even more desirable, how can one detect in "real time" that malware is present and that an incident can be prevented? This problem is difficult because little information exists to determine which application a specific transaction belongs to unless additional network defenses are placed in multiple locations in the enterprise, usually near data centers, to record and analyze all network traffic. Of course, this scenario generates even more data for analysis, and one winds up looking for the proverbial needle in a stack of needles. An obvious solution involves using special-purpose "big data" analysis tools such as predictive analysis techniques, cross-correlation analysis, and so forth, with plenty of storage for historical transactions. Obviously, this analysis overhead further adds costs and resources to defense efforts. There has to be a better way.
A Better Way

Since attacks continue despite our best network perimeter defenses, what if we begin with the assumption that adversaries are already on our networks? Consequently, we must adjust our threat model and think differently to protect our data and intellectual properties. What if we decrease the attack surface down to the application or data level with the same security capabilities currently used for perimeter defense but specialized for the particular application or data? This vision lies at the heart of the SEADE concept, which diffuses the overall attack surface from gateways guarding the enterprise network perimeter to thousands of individual, specialized security enclaves. The multitude of enclaves, consisting of multiple products and specialized configurations, will force the attacker to increase his effort to penetrate a single application. Since each security enclave is specialized to a specific application, the attacker must customize attacks per application rather than focus on penetrating the perimeter to expose the entire network. Thus, it will no longer be possible for adversaries to exist unchallenged inside our networks.

SEADE—Virtual Application Data Center

Virtualization technology, available in the cloud or virtual data centers (VDC), has made possible the virtual application data center concept. A VDC is a software-defined data center that supports "infrastructure as a service" for applications. It is a commodity readily available in many commercial and government cloud data centers. We utilize a VDC to define a VADC. Essentially, one VADC is dedicated to only one application, which is supported by a platform as a service (PaaS). It consists of virtualized network monitoring and defense capabilities like firewalls and deep-packet inspection along with its associated web access point, database firewall, and traditional PaaS components of web servers, application servers, and database servers. SEADE-VADC extends this concept for each application.

A significant security benefit of this architecture is that network traffic can remain encrypted until it enters the VADC. Only after packets enter the VADC are they decrypted and inspected. Within each VADC, the application developer has tailored the network inspection defenses, which were "baked in" from the design phase, to the specific ports/protocols, transaction size/format, parameter range, and so forth, for that single application.3 For instance, some applications may be tuned to support deep-packet inspection with abnormalities reported to the appropriate computer network defense service provider (CNDSP). Individual application risk management will drive the tailoring requirements. The VADC will improve the levels of accessibility and confidentiality by recognizing specific threats immediately and preventing an incident from occurring.
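To make the tailored inspection concrete, here is an added Python example (not code from the article or from any Air Force system) of a per-application inspection profile and the threshold-based CNDSP alerting it feeds; the application name, parameter names, limits and sample traffic are all constructed for illustration.

```python
"""Per-application inspection profile for a VADC (added illustration, not from the article).
Decrypted traffic is checked against a profile the developer tailored at design time:
allowed ports/protocols, transaction size/format and parameter ranges.  Anything outside
the profile is an abnormality; the CNDSP is alerted only once a per-source threshold is hit."""
from collections import Counter
from dataclasses import dataclass
import json


@dataclass(frozen=True)
class AppProfile:
    """Design-time inspection profile for one application (constructed values)."""
    allowed_endpoints: frozenset   # (protocol, port) pairs the app listens on
    max_bytes: int                 # transaction size limit
    allowed_params: frozenset      # every parameter name the app understands
    param_ranges: dict             # numeric parameter -> (min, max)
    alert_threshold: int           # abnormalities per source before a CNDSP alert


@dataclass(frozen=True)
class Transaction:
    src: str
    protocol: str
    port: int
    body: bytes


def inspect(profile: AppProfile, tx: Transaction) -> list:
    """Return the abnormalities found in one transaction (empty list if it is clean)."""
    findings = []
    if (tx.protocol, tx.port) not in profile.allowed_endpoints:
        findings.append(f"endpoint {tx.protocol}/{tx.port} not in profile")
    if len(tx.body) > profile.max_bytes:
        return findings + [f"size {len(tx.body)} exceeds {profile.max_bytes}"]  # never parse oversized bodies
    try:
        params = json.loads(tx.body)
    except ValueError:
        return findings + ["body is not the expected JSON format"]
    if not isinstance(params, dict):
        return findings + ["body is not a JSON object"]
    for name, value in params.items():
        if name not in profile.allowed_params:
            findings.append(f"unknown parameter {name!r}")
        elif name in profile.param_ranges:
            lo, hi = profile.param_ranges[name]
            if not isinstance(value, (int, float)) or not lo <= value <= hi:
                findings.append(f"parameter {name!r}={value!r} outside [{lo}, {hi}]")
    return findings


class EnclaveMonitor:
    """Counts abnormalities per source and raises one CNDSP alert when the threshold is reached."""
    def __init__(self, profile: AppProfile):
        self.profile = profile
        self.abnormal_by_src = Counter()
        self.cndsp_alerts = []

    def process(self, tx: Transaction) -> bool:
        """Inspect one transaction; True means it may be forwarded to the application."""
        findings = inspect(self.profile, tx)
        if not findings:
            return True
        self.abnormal_by_src[tx.src] += 1
        count = self.abnormal_by_src[tx.src]
        if count == self.profile.alert_threshold:   # alert once, at the threshold
            self.cndsp_alerts.append({"source": tx.src, "count": count, "last": findings})
        return False


# Constructed profile for a hypothetical sortie-scheduler application.
SCHEDULER_PROFILE = AppProfile(
    allowed_endpoints=frozenset({("tcp", 443)}),
    max_bytes=512,
    allowed_params=frozenset({"sortie_count", "duration_min", "callsign"}),
    param_ranges={"sortie_count": (1, 50), "duration_min": (10, 600)},
    alert_threshold=3,
)
# Constructed traffic: one clean request, then three abnormal ones from a single source.
SAMPLE_TRAFFIC = [
    Transaction("10.0.0.5", "tcp", 443, b'{"sortie_count": 4, "duration_min": 90, "callsign": "VIPER"}'),
    Transaction("10.0.0.9", "tcp", 443, b'{"sortie_count": 4000}'),
    Transaction("10.0.0.9", "tcp", 8080, b'{"sortie_count": 2}'),
    Transaction("10.0.0.9", "tcp", 443, b'{"callsign": "VIPER", "debug": true}'),
]


def run_sample() -> dict:
    """Run the constructed traffic through the monitor; expect [True, False, False, False] and one alert."""
    monitor = EnclaveMonitor(SCHEDULER_PROFILE)
    forwarded = [monitor.process(tx) for tx in SAMPLE_TRAFFIC]
    return {"forwarded": forwarded, "alerts": monitor.cndsp_alerts}
```

Only the third abnormality from 10.0.0.9 produces an alert, so the CNDSP sees one focused report carrying the application's own findings rather than a stream of raw transactions.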

SEADE—Enterprise-Level Security

ELS is a dynamic attribute-based access-control system developed to reduce overall security risks by automating the access process, based on authoritative, related attribute information.4 Today, each application has a uniquely configured access-control scheme maintained by system administrators, primarily based on users and groups, which can be quite labor intensive. In the Air Force, the process is further burdened by a form-based, administrative-access approval process. As a new paradigm, ELS automates the authorization maintenance process; validates preconditions for access, such as training, security clearance, rank, and so forth; and allows a person access when an application-owner-defined set of conditions is met.

Accessibility to data is controlled by claims, based on a person's (or an entity's) attributes, dynamically generated and propagated when attributes change.5 Claims can be additions, deprecations, or modifications to existing access rights. They are transmitted via encrypted channels, based on user-access requests, in a security assertion markup language (SAML) token. A standard handler evaluates and validates the token (content, timing, and authentication) and passes the claim for access to the application. Logging occurs for every access request, and erroneous access information is sent to the appropriate CNDSP. A standard handler ensures that SAML validation and access logging are performed correctly, further freeing the application developer from producing similar capability.
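The claims flow described above, as an added Python example that is not the ELS implementation: claims are derived from a person's attributes against an application-owner-defined policy, carried in a signed token, and checked by a standard handler for authentication, timing and content, with every request logged and failures queued for the CNDSP. A JSON payload with an HMAC tag stands in for the SAML token; the key, attributes, policy and scenario are constructed.

```python
"""ELS-style claims handling (added illustration, not the ELS implementation).
Claims are derived from a person's attributes against application-owner-defined
conditions, carried in a signed token, and checked by a standard handler for
content, timing and authentication.  Every request is logged; failures go to the
CNDSP queue.  A JSON payload with an HMAC tag stands in for the SAML token, and
all keys, attributes and policies below are constructed for this example."""
import hashlib
import hmac
import json

# Constructed secure token service key; a real STS would sign with a private key.
STS_KEY = b"example-sts-key-not-for-real-use"
AUDIENCE = "sortie-scheduler"

# Constructed application-owner-defined conditions: right -> {attribute: acceptable values}.
APP_POLICY = {
    "read":  {"clearance": {"SECRET", "TOP SECRET"}, "training": {"ops-101"}},
    "write": {"clearance": {"TOP SECRET"}, "training": {"ops-101"}, "duty_location": {"OPS-CENTER"}},
}


def derive_claims(attributes: dict) -> list:
    """Return the access rights whose every condition is met by the attributes."""
    granted = []
    for right, conditions in APP_POLICY.items():
        if all(attributes.get(attr) in allowed for attr, allowed in conditions.items()):
            granted.append(right)
    return granted


def issue_token(subject: str, attributes: dict, now: int, ttl: int = 300) -> dict:
    """Secure token service: sign {subject, audience, timing, claims} with STS_KEY."""
    payload = {"sub": subject, "aud": AUDIENCE, "nbf": now, "exp": now + ttl,
               "claims": derive_claims(attributes)}
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(STS_KEY, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class ElsHandler:
    """Standard handler: validates the token, logs every request, queues errors for the CNDSP."""

    def __init__(self):
        self.access_log = []
        self.cndsp_queue = []

    def _validate(self, token: dict, now: int) -> dict:
        """Authentication, then timing, then content; raise ValueError on the first failure."""
        expected = hmac.new(STS_KEY, token["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["tag"]):
            raise ValueError("authentication: bad signature")
        payload = json.loads(token["body"])
        if not payload["nbf"] <= now < payload["exp"]:
            raise ValueError("timing: token not yet valid or expired")
        if payload.get("aud") != AUDIENCE:
            raise ValueError("content: token issued for another application")
        if any(right not in APP_POLICY for right in payload.get("claims", [])):
            raise ValueError("content: unknown claim")
        return payload

    def authorize(self, token: dict, right: str, now: int) -> bool:
        """Decide one access request and record it; erroneous requests also go to the CNDSP."""
        try:
            payload = self._validate(token, now)
            decision = right in payload["claims"]
            entry = {"sub": payload["sub"], "right": right, "granted": decision}
        except (ValueError, KeyError) as err:
            decision = False
            entry = {"sub": None, "right": right, "granted": False, "error": str(err)}
            self.cndsp_queue.append(entry)
        self.access_log.append(entry)
        return decision


def run_sample() -> dict:
    """Constructed scenario: a reassignment regenerates claims; a tampered token is rejected."""
    handler = ElsHandler()
    now = 1_700_000_000
    attrs = {"clearance": "TOP SECRET", "training": "ops-101", "duty_location": "FIELD"}
    before = issue_token("airman.a", attrs, now)
    write_before = handler.authorize(before, "write", now)      # False: not at OPS-CENTER
    attrs["duty_location"] = "OPS-CENTER"                       # authoritative source updated
    after = issue_token("airman.a", attrs, now)                 # claims regenerated
    write_after = handler.authorize(after, "write", now)        # True
    tampered = {"body": after["body"].replace(b'"airman.a"', b'"intruder"'), "tag": after["tag"]}
    forged = handler.authorize(tampered, "read", now)           # False: signature check fails
    stale = handler.authorize(after, "read", now + 301)         # False: expired
    return {"write_before": write_before, "write_after": write_after, "forged": forged,
            "stale": stale, "logged": len(handler.access_log), "cndsp": len(handler.cndsp_queue)}
```

The application code only ever sees the validated claim list, so the per-application user and group tables the article describes disappear; the attribute store and policy carry that information instead.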

ELS will improve the levels of integrity and confidentiality by preventing unauthorized data access. As shown in the figure below, SEADE combines both concepts (VADC and ELS) and is delivered as two VDCs—one for the application (VADC) and the other for the ELS claims engine (which includes the secure token service, enterprise attribute store, and generated SAML claims).

[Figure. SEADE diagram: Enterprise-Level Security and Virtual Application Data Center, layered above the cloud provider application program interface abstraction/interface layer, a bare metal type 1 virtual machine, and commodity processors.]
Benefits of SEADE

Employing SEADE throughout a large enterprise-level operation generates the following benefits:

• Enables application portability. SEADE promotes such portability by enabling applications to be hosted in any virtualized environment. Thus, owners have the freedom to maneuver applications where they are needed to meet operational and resiliency requirements.

• Expedites application deployment. Multiple SEADEs employed throughout the enterprise will significantly decrease the manpower associated with developing and fielding an application. Since network and application defenses are included in the standard PaaS environment, the application itself remains just the logic of the program as it inherits all of the security controls of the PaaS. This architecture has demonstrably decreased the time to production from months to weeks. Since a standard ELS handler may be used for the SAML token, the application developer need only code to the ELS handler's application program interface, further decreasing deployment time.

• Facilitates accreditation. Since applications are encapsulated with their own security functions, the effort of porting them into new hosting environments will be minimal, including justification of security measures to meet the accreditation process.

• Eliminates individual access requests. Dependence on form-based administrative processes will be eliminated, and system administrators' access-management burden will be significantly reduced. There will no longer be user and group permissions to maintain per application, drastically reducing the man-hours required to perform this basic system-administration function.

• Provides immediate user access. Users will have immediate access to applications and data, based on their attributes (e.g., position, training, duty location, and so forth). As soon as the authoritative data source is updated with their personnel information—say, to a new assignment—then users will be granted access accordingly.

• Includes "baked-in" security. Application development will change fundamentally by baking in security from the start. Developers will integrate network defense configurations (e.g., whitelisting) into their VADC. Further, they will have more options and stronger security-related capabilities by having various network appliances at their disposal. Developers must now think holistically and produce applications to respond to and interact only with defined, valid, and recognized inputs.

• Focuses incident reports. Instead of having cyber war fighters look at streams of network transactions, trying to determine an abnormality, incident reporting is narrowed to the actual application with detailed information, based on the application's tailored security profile. The CNDSP will be alerted only when thresholds are triggered.

• Reduces the number of network administrators. Network security operators will no longer have to make network appliance configuration changes (e.g., firewalls, proxies, and intrusion detection systems) to "allow only" legitimate traffic and block known, bad traffic. Additionally, less time will be spent on configuration-management meetings to approve mundane changes to network appliances.

• Provides operational resiliency. Since the VADC is composed solely of virtual components, if an abnormality is detected, the application can be dynamically reloaded from a previously known good image, or snapshot, to continue processing. As an added resiliency measure, SEADE instances can be spawned at multiple locations and numerous environments to attain heightened redundancy and increased mission assurance.

• Enables continuity of operations (COOP) and agility. By leveraging virtualization, one can provision applications in multiple environments, as well as COOP to another data center, provided that data has been streamed to the COOP site. This capability of provisioning anywhere further decreases the time for provisioning and provides significant mission agility.

• Reduces insider threat. This new paradigm enables creative approaches to data protection. Vulnerability to an insider threat will be reduced since ELS will block unauthorized access and track all access to applications or data. This information can be used to detect or predict abnormal activities. With appropriate data-access tagging, exfiltrated data will be unreadable outside an environment without SEADE.

• Improves confidentiality, integrity, and availability. The SEADE combination of ELS and VADC capabilities significantly increases the confidentiality and integrity of the data by preventing unwarranted access, and the availability of the application (and data) by dynamic analysis and elimination of threats to the application itself.

• Maintains CNDSP. The current CNDSP framework does not have to change. Alerts within each SEADE can be sent to the appropriate CNDSP unit, which will continue to triage alerts accordingly.

Trade-Offs

The primary trade-off with employing SEADE is that instead of relying on and deferring to network perimeter security, application developers now will be responsible for considering application security and ELS controls during design, test, and development. The developers must become intimately familiar with their application to address issues for both expected and unknown stimuli. This will undoubtedly increase the initial cost of system development, but it will ultimately save innumerable man-hours and will improve data protection. Developers will be responsible for ensuring that security is incorporated from the onset rather than waiting for operators to address the need retroactively.

Another trade-off is the building of a supporting environment for SEADE services. Application and functional owners must define and govern the attributes required to provide the granularity necessary for applications to have the correct level of access-control fidelity. These attributes must come from known, authoritative data sources that have to be identified and integrated into the enterprise attribute store for ELS's use.

Air Force Consolidated Enterprise Information Technology Baselines

Today, technology moves so quickly that one will never reach a 100 percent best solution in a reasonable amount of time. Agile solution delivery is the best approach to a problem via focused sprints and spiral development so one can adjust as the available technology changes. This affords the ability to capitalize on and garner strategic advantage from nimble actions and innovative solutions. Unfortunately, this paradigm shift unsettles many people who expect predefined requirements with predestined end points. However, this traditional approach only wastes resources as the environment and requirement change in their midst. As the cheese constantly moves in technology and cyberspace, we must be adaptable and decide to venture out to embrace the changes—lest we risk starvation.6 We must harness and guide this spirit of innovation and provide a framework for inserting new technology—methodically and expediently—into our environment.

Accordingly, it is in this vein that the Air Force chief technology officer established and manages the Consolidated Enterprise Information Technology Baselines (CEIT-B) framework to purposely shape, adopt, and deliver a standard information technology environment. This disciplined effort conforms to the agile paradigm as the future target baseline is developed.7 SEADE is a substantial component of CEIT-B that addresses security, portability, and efficiency requirements. Additionally, the Air Force, through CEIT-B, is addressing and informing the joint information environment (JIE) requirements for Department of Defense-level enterprise requirements.

Conclusion

The Air Force, as a service, emerged from technology. We must continue to harness the same innovative spirit for cyberspace that has enabled us to dominate air and space. Innovation is the fuel for future success, and we must keep striving to embrace new ways of solving our difficult problems. SEADE, composed of a VADC and ELS, is a fundamentally different paradigm that will change the way systems are developed, deployed, and defended. By providing a separate security enclave for applications in a VADC, enabled by ELS dynamic access control, we can protect our most important treasure—the data within—as we continue to operate in a contested environment. The SEADE architecture will increase the speed of both user access and application delivery to the mission, decrease day-to-day management of the network and applications, and counter the futility of network perimeter security.